STE WILLIAMS

In the latest move by a major industrial control systems (ICS) vendor to beef up its cybersecurity portfolio, Rockwell Automation has announced plans to purchase Israeli cybersecurity services firm Avnet Data Security.

Rockwell Automation yesterday said it has signed an agreement to buy the privately held Avnet Data Security, which provides penetration testing, assessments, training, and managed network and security services for the ICS sector. The company said cybersecurity is one of the fastest-growing segments of the services side of its business. 

“Avnet’s combination of service delivery, training, research, and managed services will enable us to service a much larger set of customers globally while also continuing to accelerate our portfolio development in this rapidly developing market,” said Frank Kulaszewicz, senior vice president of control products and solutions at Rockwell Automation.

Financial details of the deal, which is expected to close in early 2020, were not disclosed.

Read more here. 

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Car Hacking Hits the Streets“

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/risk/rockwell-automation-to-buy-ics-security-services-firm/d/d-id/1336754?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

What’s on your network? It’s a simple question, but one that countless security and network management teams struggle to answer because most enterprise networks are dynamic, living things that change at a rapid pace. That change is the key to adapting to a changing business environment — and key to criminals’ ability to breach the perimeter and gain access to enterprise assets.

Security teams tend to have a very good idea of what the network looked like on the day it went live. Nevertheless, conversations with consultants (and over drinks at conferences) overflow with complaints and confessions about how those same teams are ignorant of what the network looks like right now. That’s a problem. And it becomes a bigger problem when it runs into the reality of the way that criminal hackers work.

Criminal hackers specialize in understanding how a targeted network is configured today. The extent to which they understand every component and interface is the extent to which they can find exploitable vulnerabilities. And those weaknesses are even more vulnerable if the network owner doesn’t know they exist.

So one of the first steps in protecting a network is understanding precisely what is there to be protected. There are a number of different commercial products that can help provide an inventory and map of a network. But for many smaller organizations, even lower cost tools can be difficult additions to the security budget. That’s why the focus of this article is on free products that provide network visibility and monitoring.

Some of the products on this list are open source and some are not. Several of them may require an investment of time and effort to make up for the lack of a purchase price. Regardless, each of these could be a way for a security team to either get its first solid picture of its current network or augment the view provided by other tools. In either case, visibility is always a good thing.

We’re curious; are there free or open source network discovery and monitoring tools that you use? Are there any that you’ve tried and abandoned? We’d like to hear about your experience — let us know in the comment section, below!

(Image: GoodIdeas VIA Adobe Stock)

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/analytics/security-monitoring/7-free-tools-for-better-visibility-into-your-network/d/d-id/1336751?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Today’s security operations centers (SOCs) are struggling. Cyber threats are ever-increasing and growing daily in sophistication. Massive volumes of data created every second lead to new vulnerabilities and attack vectors. How do SOCs keep pace with the threats happening across the landscape and better understand them to increase their organization’s security posture?

A Ponemon Institute survey, “Improving the Effectiveness of the Security Operations Center,” found that 53% of respondents believe their SOC is ineffective at gathering evidence, investigating, and finding the source of threats. To be effective, SOCs must have access to the right data with the right context at the right time to fulfill their mission of identifying and responding to threats.

Cyber threat intelligence (CTI) has become a key tool for SOCs in this mission. According to the 2019 SANS’ “Evolution of Cyber Threat Intelligence” survey, 70% of customers consider CTI a necessity for security operations. Yet many organizations still struggle to operationalize the disparate sources of threat intelligence or institute an effective culture of sharing to combine forces against adversaries.

Leveraging the Different Types of Threat Data
CTI intelligence feeds come from many sources, and there are two primary categories. The first is open source/community feeds, such as the Collective Intelligence Framework (CIF) and sector-based Information Sharing and Analysis Centers (ISACs); the second is vendor-specific and paid-for threat intelligence services (iDefense, Cisco, Team Cymru, Greynoise.io, McAfee, Symantec, ATLAS, Farsight, and Reversing Labs, to name a few). Security operations teams also produce proprietary intelligence that needs to be shared internally.

There are several challenges to making the most of this threat data, however:

• Scaling Up the Pyramid of Pain: The more useful the threat data, the more difficult (or painful) it is to obtain and integrate into workflows. Imagine a pyramid formed by threat data values versus the level of integration difficulty:

o Tactics, techniques, and procedures (TTPs): Tough (Top of pyramid)

o Tools: Challenging

o Network/host artifacts: Annoying

o Domain names: Simple

o IP addresses: Easy

o Hash values: Trivial (base of pyramid)

At the top of the pyramid is intelligence on threat actor tools and TTPs. These are the most painful indicators to detect and verify but also the most useful for knowing context about threat actors, their intentions, and their methods to understand a threat well enough to respond.

• Timing, Complexity, Taxonomy, and Formatting: The period of time for which threat data is valid is limited. Organizations need current information about vulnerabilities and malware being used in attacks before they are targeted. Intelligence feeds will have shifting levels of urgency and simplifying the prioritization process is a complex task.

In the past, security practitioners shared Word documents, PDFs, or simple file formats like CSV tables and Excel Sheets of indicators of compromise These were difficult to operationalize due to taxonomy and formatting differences, lack of integration, and the time-sensitive nature of the data. Also, it is difficult to describe and share a more complex behavioral indicator such as a threat actor tactic in a standardized format.

• Sharing and Consumption: The cyber community has tried — and failed — to institute an effective culture of sharing. Taxonomies and standards have been created but none have caught on at scale, leaving accessibility to CTI fragmented. As a result, most sharing doesn’t go beyond domains. And even though security analysts across industries share common goals, often the organization does not see it that way and sharing and collaborating is hidden from management.

Automated analysis and instantaneous sharing of threat intelligence is the key that has been missing to unlock CTI to live up to its potential value.

What Is MISP and Why Is It Important? 
MISP — the Malware Information Sharing Platform — has gained traction as a pragmatic, flexible approach to the threat intelligence consumption and sharing problem. MISP is a vendor-agnostic, open source standard with a growing community, co-financed by the European Union. It is an infrastructure for consuming, collecting, and sharing indicators of malware either in a trusted circle or with the general public, depending on the user’s preferences. MISP provides a number of benefits:

• MISP allows users to push and query known indicators of compromise collected and shared by a community of security practitioners from around the globe.

• MISP is flexible because it does not enforce a single methodology for sharing threat intelligence, and it outputs information in multiple formats.

• MISP reduces double-work within the intelligence community by sharing information across CERTs, organizations, governments, and security vendors.

• MISP provides a level of control to ensure that the right data is confidentially shared and consumed.

To operationalize threat intelligence at scale without overburdening security teams, practitioners should consider integrating MISP with their existing security information and event management (SIEM) solution. MISP is built for flexible ingestion and extraction, rapid analysis, automation, and sharing. A SIEM’s integration with MISP builds threat data consumption and threat sharing directly into the analyst workflow. This enables analysts to find and share threats much faster than before by correlating community intelligence with multiple other data sources through their SIEM.

The SANS survey found that 33.7% of organizations produce and consume threat intelligence, while 60.5% only consume it. This means that a majority of organizations recognize the value of CTI yet for different reasons currently decline to participate in sharing their findings.

Open source platforms such as MISP, combined with automated integration into SIEMs, are well positioned to drive a community-based approach to intelligence sharing. This will enable SOCs to stand together through collaborative analysis, potentially driving the industry to an inflection point for moving beyond source-to-subscriber to partner-to-partner sharing.

• 7 Stats That Show What It Takes to Run a Modern SOC
• 3 Modern Myths of Threat Intelligence
• Rethinking Enterprise Data Defense
• Assessing Cybersecurity Risk in Today’s Enterprise

Sebastien Tricaud is the Director of Security Engineering at Devo. He has worked on numerous open source projects, such as Linux PAM, Prelude IDS, etc. He is the lead developer of Faup, a URL Parser that is widely popular. Sebastien is also a board member of the Honeynet … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/operationalizing-threat-intelligence-at-scale-in-the-soc/a/d-id/1336702?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Amazon Web Services has issued an “important” warning to users of its Amazon Aurora, Amazon Relational Database Service (RDS), and Amazon DocumentDB (with MongoDB compatibility) databases, urging them to update their certificates by January 14, 2020.

Those who use SSL/TLS certificate validation when they connect to database instances are urged to download and install a fresh certificate, rotate the certificate authority (CA) for the instances, and reboot the instances. Users who don’t have SSL/TLS connections or certificate validation don’t need to make any updates; however, AWS advises doing so in case they want to use SSL/TLS connections in the future.

This process is standard: SSL/TLS certificates for RDS, Aurora, and DocumentDB expire and are replaced every five years as part of standard maintenance. Users may already have received an email or console notification alerting them to the process.

Instances created on or after January 14 will have the new (CA-2019) certificates, made available in September 2019. Users can temporarily switch back to the old (CA-2015) certificates if needed. CA-2015 certificates will expire on March 5, 2020; at this point, applications that use certificate validation but haven’t been updated will lose connectivity.

Read more details here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Car Hacking Hits the Streets“

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/cloud/aws-issues-urgent-warning-for-database-users-to-update-certs/d/d-id/1336766?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Open-source software projects continue to struggle with handling sensitive information, according to automated scans of hundreds of millions of commits to code repositories.

Software-security toolmaker DeepCode found that four of the seven vulnerabilities classes with the greatest impact on the security of software projects had to do with failures to protect data. The categories of Missing Input Data Sanitization and Insecure Password Handling laid claim to the top-two slots on the company’s list of important vulnerability classes. Two other data security issues — Weak Cryptography and Lack of Information Hiding — came in No. 6 and No. 7 on the list, which was published this week.

The issues underscore that developers need to continue to focus on producing secure code in 2020, says Boris Paskalev, CEO and co-founder of the company. “We believe that any developer who has these issues should want to take care of them,” he says, adding the developers should continue to learn about security. “In at least every other other major repository, we see a security vulnerability.”

Driven by increased research into software security, more software under development, companies’ greater openness to vulnerability reporting, and perhaps most of all – improvements to the process of recording vulnerability reports – the number of software security issues published in the National Vulnerability Database rose to the highest recorded level in 2019, surpassing 17,300 issues reported during the year.

This continues a trend that started in 2017, when the number of vulnerabilities reported annually jumped to 14,645, more than doubling the prior year’s tally.

Focusing on all the issues is impossible, so security teams and developers have to be selective about where they invest their security effort and training. The Common Weakness Enumeration (CWE) list of most dangerous software errors, for example, points at different classes of vulnerabilities based on their relative frequency of occurrence over the past two years. 

Yet, developers have trouble closing security holes in a timely manner. In a report based on tests of more than 85,000 applications, software security firm Veracode found that companies only manage to fix 56% of vulnerabilities between the first and last scans.

From its scans of open-source repositories and the commits — changes made by the developers — to those projects, the company can track the ebb and flow of vulnerabilities as they are deployed to code, caught, and then fixed. The list of the most important security vulnerabilities can act as a cheat sheet for developers, Paskalev says.

“Almost any large open-source framework has these issues, so it’s good to know what to look out for,” he says. 

The list created by DeepCode does not count just the most common vulnerabilities, but instead what the company considers the most important. The top category of defect is malformed date-time values and the mishandling of those variables, but those bugs typically do not have a major impact on programs, Paskalev says. The company categorizes vulnerabilities into 200 categories and focuses on the most impactful for the list.

“A bug could be anything from an unsanitized input to broken pipes,” he says. “Most of them result in performance degradation or a resource or memory leak, things like that.”

Automated tools are critical to finding vulnerabilities and catching coding errors before the software is deployed, especially as software is produced with increasing velocity, Paskalev says.

“A set of tools — automated tools — are needed to make sure they catch these issues,” he says. “You want to check as often as possible. I almost see a continuous checking like a debugger.”

Yet, corporate management also needs to create an environment where security is a focus for developers. While seven in ten developers are expected to write secure code in their jobs, half of developers only find coding errors after applications are deployed to a test environment or to a later stage, according to a July report by DevOps service provider GitLab. 

Related Content

• SQL Injection Errors No Longer the Top Software Security Issue
• About 50% of Apps Are Accruing Unaddressed Vulnerabilities
• Software Developers Face Secure Coding Challenges
• 6 Ways Mature DevOps Teams Are Killing It in Security

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “What Tools Will Find Misconfigurations in My AWS S3 Cloud Buckets?”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/application-security/developers-still-dont-properly-handle-sensitive-data-/d/d-id/1336752?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

On the opening day of the huge Consumer Electronics Show (CES), officials in Las Vegas were busy assessing the damage from a cyberattack that hit the city. Officials there reportedly said preliminary analysis indicated that no sensitive data was compromised in the attack, which began around 4:30 a.m. local time Tuesday, Jan. 7.

The attack reportedly appears to have begun with a malicious link included in an email to a city employee. There was thus far was no indication that the attack was either related to the recent military activity with Iran, or the beginning of CES.

This is a developing story. For more, read here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Car Hacking Hits the Streets“

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/las-vegas-suffers-cyberattack-on-first-day-of-ces-/d/d-id/1336753?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple